Back to skill

Security audit

Tokenlab Native Endpoints

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed TokenLab API guidance skill with no executable code, persistence, or hidden local access.

Install this only if you intend to route requests through TokenLab. Treat prompts, files, and API keys used with the example calls as data shared with that service, and avoid sending secrets or private content unless your TokenLab account and policies allow it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (7)

External Transmission

Medium
Category
Data Exfiltration
Content
## Endpoint families

- OpenAI-compatible chat: `POST https://api.tokenlab.sh/v1/chat/completions`
- OpenAI Responses: `POST https://api.tokenlab.sh/v1/responses`
- Anthropic Messages: `POST https://api.tokenlab.sh/v1/messages`
- Gemini native generate content: `POST https://api.tokenlab.sh/v1beta/models/{model}:generateContent`
Confidence
50% confidence
Finding
https://api.tokenlab.sh/

External Transmission

Medium
Category
Data Exfiltration
Content
## Endpoint families

- OpenAI-compatible chat: `POST https://api.tokenlab.sh/v1/chat/completions`
- OpenAI Responses: `POST https://api.tokenlab.sh/v1/responses`
- Anthropic Messages: `POST https://api.tokenlab.sh/v1/messages`
- Gemini native generate content: `POST https://api.tokenlab.sh/v1beta/models/{model}:generateContent`
- Model catalog: `GET https://api.tokenlab.sh/v1/models`
Confidence
50% confidence
Finding
https://api.tokenlab.sh/

External Transmission

Medium
Category
Data Exfiltration
Content
- OpenAI-compatible chat: `POST https://api.tokenlab.sh/v1/chat/completions`
- OpenAI Responses: `POST https://api.tokenlab.sh/v1/responses`
- Anthropic Messages: `POST https://api.tokenlab.sh/v1/messages`
- Gemini native generate content: `POST https://api.tokenlab.sh/v1beta/models/{model}:generateContent`
- Model catalog: `GET https://api.tokenlab.sh/v1/models`
- Task-specific model shortlist: `GET https://api.tokenlab.sh/v1/models?recommended_for=<scene>`
Confidence
50% confidence
Finding
https://api.tokenlab.sh/

External Transmission

Medium
Category
Data Exfiltration
Content
- OpenAI-compatible chat: `POST https://api.tokenlab.sh/v1/chat/completions`
- OpenAI Responses: `POST https://api.tokenlab.sh/v1/responses`
- Anthropic Messages: `POST https://api.tokenlab.sh/v1/messages`
- Gemini native generate content: `POST https://api.tokenlab.sh/v1beta/models/{model}:generateContent`
- Model catalog: `GET https://api.tokenlab.sh/v1/models`
- Task-specific model shortlist: `GET https://api.tokenlab.sh/v1/models?recommended_for=<scene>`
- Model contract: `GET https://api.tokenlab.sh/v1/models/:model`
Confidence
50% confidence
Finding
https://api.tokenlab.sh/

External Transmission

Medium
Category
Data Exfiltration
Content
- OpenAI Responses: `POST https://api.tokenlab.sh/v1/responses`
- Anthropic Messages: `POST https://api.tokenlab.sh/v1/messages`
- Gemini native generate content: `POST https://api.tokenlab.sh/v1beta/models/{model}:generateContent`
- Model catalog: `GET https://api.tokenlab.sh/v1/models`
- Task-specific model shortlist: `GET https://api.tokenlab.sh/v1/models?recommended_for=<scene>`
- Model contract: `GET https://api.tokenlab.sh/v1/models/:model`
Confidence
50% confidence
Finding
https://api.tokenlab.sh/

External Transmission

Medium
Category
Data Exfiltration
Content
- Anthropic Messages: `POST https://api.tokenlab.sh/v1/messages`
- Gemini native generate content: `POST https://api.tokenlab.sh/v1beta/models/{model}:generateContent`
- Model catalog: `GET https://api.tokenlab.sh/v1/models`
- Task-specific model shortlist: `GET https://api.tokenlab.sh/v1/models?recommended_for=<scene>`
- Model contract: `GET https://api.tokenlab.sh/v1/models/:model`

## Preferred approach
Confidence
50% confidence
Finding
https://api.tokenlab.sh/

External Transmission

Medium
Category
Data Exfiltration
Content
- Gemini native generate content: `POST https://api.tokenlab.sh/v1beta/models/{model}:generateContent`
- Model catalog: `GET https://api.tokenlab.sh/v1/models`
- Task-specific model shortlist: `GET https://api.tokenlab.sh/v1/models?recommended_for=<scene>`
- Model contract: `GET https://api.tokenlab.sh/v1/models/:model`

## Preferred approach
Confidence
50% confidence
Finding
https://api.tokenlab.sh/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.